Newly disclosed web app bugs are declining but actual number remains high, says HP

HP's '2011 Mid-year Top Cyber Security Risks Report' found that just over 3,000 new commercial web vulnerabilities were disclosed in the first half of 2011, down 25% from the same period last year.

At the same time, HP’s Application Security Center conducted scans of 236 static web applications and found that 69% contained at least one SQL injection vulnerability and 42% contained persistent cross-site scripting vulnerabilities.

HP explained that the discrepancy is due to organizations not patching pre-existing vulnerabilities in commercial web apps, leaving low-hanging fruit for attackers to exploit, and/or to a growing number of custom-developed web apps whose vulnerabilities cannot be protected by commercially available security products.

HP also found that the number of attacks on web applications is growing exponentially. Attacks on web applications increased by 26% in the first half of 2011, compared with the same period last year, according to data compiled by the HP TippingPoint intrusion prevention system.

“Looking at all these data points together, it’s clear that attackers simply do not need to rely on new web app vulnerabilities to launch their exploits. They are able to execute successful and profitable attacks using older information and techniques”, concluded HP.